net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch - mirrors/cros/chromiumos/overlays/portage-stable - Git at Google

 http://bugs.gentoo.org/165444
 https://bugzilla.mindrot.org/show_bug.cgi?id=1008

 Index: readconf.c
 ===================================================================
 RCS file: /cvs/openssh/readconf.c,v
 retrieving revision 1.135
 diff -u -r1.135 readconf.c
 --- readconf.c	5 Aug 2006 02:39:40 -0000	1.135
 +++ readconf.c	19 Aug 2006 11:59:52 -0000
 @@ -126,6 +126,7 @@
  	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
  	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
  	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
 +	oGssTrustDns,
  	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
  	oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
  	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
 @@ -163,9 +164,11 @@
  #if defined(GSSAPI)
  	{ "gssapiauthentication", oGssAuthentication },
  	{ "gssapidelegatecredentials", oGssDelegateCreds },
 +	{ "gssapitrustdns", oGssTrustDns },
  #else
  	{ "gssapiauthentication", oUnsupported },
  	{ "gssapidelegatecredentials", oUnsupported },
 +	{ "gssapitrustdns", oUnsupported },
  #endif
  	{ "fallbacktorsh", oDeprecated },
  	{ "usersh", oDeprecated },
 @@ -444,6 +447,10 @@
  		intptr = &options->gss_deleg_creds;
  		goto parse_flag;

 +	case oGssTrustDns:
 +		intptr = &options->gss_trust_dns;
 +		goto parse_flag;
 +
  	case oBatchMode:
  		intptr = &options->batch_mode;
  		goto parse_flag;
 @@ -1010,6 +1017,7 @@
  	options->challenge_response_authentication = -1;
  	options->gss_authentication = -1;
  	options->gss_deleg_creds = -1;
 +	options->gss_trust_dns = -1;
  	options->password_authentication = -1;
  	options->kbd_interactive_authentication = -1;
  	options->kbd_interactive_devices = NULL;
 @@ -1100,6 +1108,8 @@
  		options->gss_authentication = 0;
  	if (options->gss_deleg_creds == -1)
  		options->gss_deleg_creds = 0;
 +	if (options->gss_trust_dns == -1)
 +		options->gss_trust_dns = 0;
  	if (options->password_authentication == -1)
  		options->password_authentication = 1;
  	if (options->kbd_interactive_authentication == -1)
 Index: readconf.h
 ===================================================================
 RCS file: /cvs/openssh/readconf.h,v
 retrieving revision 1.63
 diff -u -r1.63 readconf.h
 --- readconf.h	5 Aug 2006 02:39:40 -0000	1.63
 +++ readconf.h	19 Aug 2006 11:59:52 -0000
 @@ -45,6 +45,7 @@
  					/* Try S/Key or TIS, authentication. */
  	int     gss_authentication;	/* Try GSS authentication */
  	int     gss_deleg_creds;	/* Delegate GSS credentials */
 +	int	gss_trust_dns;		/* Trust DNS for GSS canonicalization */
  	int     password_authentication;	/* Try password
  						 * authentication. */
  	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
 Index: ssh_config.5
 ===================================================================
 RCS file: /cvs/openssh/ssh_config.5,v
 retrieving revision 1.97
 diff -u -r1.97 ssh_config.5
 --- ssh_config.5	5 Aug 2006 01:34:51 -0000	1.97
 +++ ssh_config.5	19 Aug 2006 11:59:53 -0000
 @@ -483,7 +483,16 @@
  Forward (delegate) credentials to the server.
  The default is
  .Dq no .
 -Note that this option applies to protocol version 2 only.
 +Note that this option applies to protocol version 2 connections using GSSAPI.
 +.It Cm GSSAPITrustDns
 +Set to
 +.Dq yes to indicate that the DNS is trusted to securely canonicalize
 +the name of the host being connected to. If
 +.Dq no, the hostname entered on the
 +command line will be passed untouched to the GSSAPI library.
 +The default is
 +.Dq no .
 +This option only applies to protocol version 2 connections using GSSAPI.
  .It Cm HashKnownHosts
  Indicates that
  .Xr ssh 1
 Index: sshconnect2.c
 ===================================================================
 RCS file: /cvs/openssh/sshconnect2.c,v
 retrieving revision 1.151
 diff -u -r1.151 sshconnect2.c
 --- sshconnect2.c	18 Aug 2006 14:33:34 -0000	1.151
 +++ sshconnect2.c	19 Aug 2006 11:59:53 -0000
 @@ -499,6 +499,12 @@
  	static u_int mech = 0;
  	OM_uint32 min;
  	int ok = 0;
 +	const char *gss_host;
 +
 +	if (options.gss_trust_dns)
 +		gss_host = get_canonical_hostname(1);
 +	else
 +		gss_host = authctxt->host;

  	/* Try one GSSAPI method at a time, rather than sending them all at
  	 * once. */
 @@ -511,7 +517,7 @@
  		/* My DER encoding requires length<128 */
  		if (gss_supported->elements[mech].length < 128 &&
  		    ssh_gssapi_check_mechanism(&gssctxt,
 -		    &gss_supported->elements[mech], authctxt->host)) {
 +		    &gss_supported->elements[mech], gss_host)) {
  			ok = 1; /* Mechanism works */
  		} else {
  			mech++;
	http://bugs.gentoo.org/165444
	https://bugzilla.mindrot.org/show_bug.cgi?id=1008

	Index: readconf.c
	===================================================================
	RCS file: /cvs/openssh/readconf.c,v
	retrieving revision 1.135
	diff -u -r1.135 readconf.c
	--- readconf.c 5 Aug 2006 02:39:40 -0000 1.135
	+++ readconf.c 19 Aug 2006 11:59:52 -0000
	@@ -126,6 +126,7 @@
	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
	+ oGssTrustDns,
	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
	oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
	@@ -163,9 +164,11 @@
	#if defined(GSSAPI)
	{ "gssapiauthentication", oGssAuthentication },
	{ "gssapidelegatecredentials", oGssDelegateCreds },
	+ { "gssapitrustdns", oGssTrustDns },
	#else
	{ "gssapiauthentication", oUnsupported },
	{ "gssapidelegatecredentials", oUnsupported },
	+ { "gssapitrustdns", oUnsupported },
	#endif
	{ "fallbacktorsh", oDeprecated },
	{ "usersh", oDeprecated },
	@@ -444,6 +447,10 @@
	intptr = &options->gss_deleg_creds;
	goto parse_flag;

	+ case oGssTrustDns:
	+ intptr = &options->gss_trust_dns;
	+ goto parse_flag;
	+
	case oBatchMode:
	intptr = &options->batch_mode;
	goto parse_flag;
	@@ -1010,6 +1017,7 @@
	options->challenge_response_authentication = -1;
	options->gss_authentication = -1;
	options->gss_deleg_creds = -1;
	+ options->gss_trust_dns = -1;
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->kbd_interactive_devices = NULL;
	@@ -1100,6 +1108,8 @@
	options->gss_authentication = 0;
	if (options->gss_deleg_creds == -1)
	options->gss_deleg_creds = 0;
	+ if (options->gss_trust_dns == -1)
	+ options->gss_trust_dns = 0;
	if (options->password_authentication == -1)
	options->password_authentication = 1;
	if (options->kbd_interactive_authentication == -1)
	Index: readconf.h
	===================================================================
	RCS file: /cvs/openssh/readconf.h,v
	retrieving revision 1.63
	diff -u -r1.63 readconf.h
	--- readconf.h 5 Aug 2006 02:39:40 -0000 1.63
	+++ readconf.h 19 Aug 2006 11:59:52 -0000
	@@ -45,6 +45,7 @@
	/* Try S/Key or TIS, authentication. */
	int gss_authentication; /* Try GSS authentication */
	int gss_deleg_creds; /* Delegate GSS credentials */
	+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
	int password_authentication; /* Try password
	* authentication. */
	int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
	Index: ssh_config.5
	===================================================================
	RCS file: /cvs/openssh/ssh_config.5,v
	retrieving revision 1.97
	diff -u -r1.97 ssh_config.5
	--- ssh_config.5 5 Aug 2006 01:34:51 -0000 1.97
	+++ ssh_config.5 19 Aug 2006 11:59:53 -0000
	@@ -483,7 +483,16 @@
	Forward (delegate) credentials to the server.
	The default is
	.Dq no .
	-Note that this option applies to protocol version 2 only.
	+Note that this option applies to protocol version 2 connections using GSSAPI.
	+.It Cm GSSAPITrustDns
	+Set to
	+.Dq yes to indicate that the DNS is trusted to securely canonicalize
	+the name of the host being connected to. If
	+.Dq no, the hostname entered on the
	+command line will be passed untouched to the GSSAPI library.
	+The default is
	+.Dq no .
	+This option only applies to protocol version 2 connections using GSSAPI.
	.It Cm HashKnownHosts
	Indicates that
	.Xr ssh 1
	Index: sshconnect2.c
	===================================================================
	RCS file: /cvs/openssh/sshconnect2.c,v
	retrieving revision 1.151
	diff -u -r1.151 sshconnect2.c
	--- sshconnect2.c 18 Aug 2006 14:33:34 -0000 1.151
	+++ sshconnect2.c 19 Aug 2006 11:59:53 -0000
	@@ -499,6 +499,12 @@
	static u_int mech = 0;
	OM_uint32 min;
	int ok = 0;
	+ const char *gss_host;
	+
	+ if (options.gss_trust_dns)
	+ gss_host = get_canonical_hostname(1);
	+ else
	+ gss_host = authctxt->host;

	/* Try one GSSAPI method at a time, rather than sending them all at
	* once. */
	@@ -511,7 +517,7 @@
	/* My DER encoding requires length<128 */
	if (gss_supported->elements[mech].length < 128 &&
	ssh_gssapi_check_mechanism(&gssctxt,
	- &gss_supported->elements[mech], authctxt->host)) {
	+ &gss_supported->elements[mech], gss_host)) {
	ok = 1; /* Mechanism works */
	} else {
	mech++;